elastic / detection-rules

https://www.elastic.co/guide/en/security/current/detection-engine-overview.html

[New Rule] Multiple successive Google Workspace groups joined or requested to join in short succession #4129

Open brokensound77 opened 6 days ago

brokensound77 commented 6 days ago

Description

Identifies multiple successive Google Workspace groups joined or requested to join in short succession, which could indicate attempts at Discovery, Collection, or Exfiltration.

Target Ruleset

google_workspace

Target Rule Type

ES|QL

Tested ECS Version

No response

Query

from logs-google_workspace*
| mv_expand event.type
| where event.type == "group" and to_lower(event.action) in ("join", "request_to_join")
| stats total_requests = count(*) by source.user.name
| where total_requests > 5
| sort total_requests desc

This could also be a threshold rule.

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

No response

References

No response

Redacted Example Data

No response
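The following is an added example, not code from the issue or from the elastic/detection-rules project. It replays the proposed ES|QL pipeline (mv_expand, the event.type/event.action filter, the per-user count and the > 5 threshold) in plain Python over a constructed set of ECS-shaped Google Workspace events, so the logic can be sanity-checked offline before the rule is tuned. The field names match the query; the sample events, the `_ev` helper, the one-hour lookback window and the timestamps are assumptions made for the example (the query itself has no time filter; in a deployed rule the "short succession" part comes from the rule's lookback window, which the example models explicitly).

```python
# Added example: local replay of the proposed ES|QL detection over constructed events.
# Not part of the elastic/detection-rules issue or repository.
from collections import Counter
from datetime import datetime, timedelta


def _ev(ts, user, action, types):
    """Build one constructed ECS-style event (helper assumed for this example)."""
    return {
        "@timestamp": ts,
        "source.user.name": user,
        "event.action": action,
        "event.type": types,  # multi-valued in ECS, hence mv_expand in the query
    }


BASE = datetime(2024, 1, 1, 12, 0, 0)  # constructed reference time

# Constructed sample data covering the cases the query has to handle.
SAMPLE_EVENTS = (
    # alice: six group join/request events within minutes, including an
    # upper-case action and a multi-valued event.type -> exceeds the threshold
    [_ev(BASE + timedelta(minutes=i), "alice", "join", ["group"]) for i in range(4)]
    + [
        _ev(BASE + timedelta(minutes=4), "alice", "REQUEST_TO_JOIN", ["group", "info"]),
        _ev(BASE + timedelta(minutes=5), "alice", "request_to_join", ["group"]),
    ]
    # bob: only three joins -> below threshold
    + [_ev(BASE + timedelta(minutes=i), "bob", "join", ["group"]) for i in range(3)]
    # carol: six "join" actions whose event.type is not "group" -> filtered out
    + [_ev(BASE + timedelta(minutes=i), "carol", "join", ["user"]) for i in range(6)]
    # dave: six group joins spread over six days -> outside a one-hour lookback
    + [_ev(BASE - timedelta(days=i + 1), "dave", "join", ["group"]) for i in range(6)]
)


def filter_window(events, now, window=timedelta(hours=1)):
    """Model the rule's lookback window (assumed one hour); not in the ES|QL itself."""
    return [ev for ev in events if now - window <= ev["@timestamp"] <= now]


def expand_event_type(events):
    """Emulate `mv_expand event.type`: one row per value of the multi-valued field."""
    for ev in events:
        types = ev.get("event.type") or []
        if isinstance(types, str):
            types = [types]
        for t in types:
            row = dict(ev)
            row["event.type"] = t
            yield row


def matching_rows(events):
    """`where event.type == "group" and to_lower(event.action) in ("join", "request_to_join")`."""
    for row in expand_event_type(events):
        action = str(row.get("event.action", "")).lower()
        if row["event.type"] == "group" and action in ("join", "request_to_join"):
            yield row


def count_by_user(events):
    """`stats total_requests = count(*) by source.user.name`."""
    return dict(Counter(row.get("source.user.name") for row in matching_rows(events)))


def flag_users(events, now, window=timedelta(hours=1), threshold=5):
    """`where total_requests > 5 | sort total_requests desc`, after the lookback window."""
    counts = count_by_user(filter_window(events, now, window))
    hits = [(user, n) for user, n in counts.items() if n > threshold]
    return sorted(hits, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    now = BASE + timedelta(minutes=10)
    print("all-time counts:", count_by_user(SAMPLE_EVENTS))
    print("flagged within window:", flag_users(SAMPLE_EVENTS, now))
```

Without the window, dave's six joins over six days would also cross the threshold; with it, only alice is flagged. That is the knob to watch when tuning: the count threshold and the rule's lookback together define what "short succession" means, and a multi-valued event.type is counted once per matching value, not once per document.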